Using the Cloud to Secure the Cloud

Multi-cloud environments provide enterprises with the ability to mix and match private clouds with multiple public clouds. The “multi” in multi-cloud raises the importance of connectivity between and among those clouds, and of securing that connectivity. The “cloud” aspect also adds complexity to achieving that security. You can’t march into a data center owned by Amazon Web Services (AWS), Microsoft Azure, or IBM and demand to install your encryption appliance to protect your links.

Relying on application-level security is another option, but it puts the onus on developers to adhere to security standards. Furthermore, these developers may not be security experts, the security is not easily testable, and it may not be controlled by your IT team.

A better approach is to be more systematic and provide software-based encryption at the network layer. That means leveraging virtualization to host a software encryption solution in the cloud infrastructure.

What is Multi-Cloud?

Before we get too deep, let’s establish exactly what is meant by “multi-cloud.”

Multi-cloud is the combination of multiple public, private, and onsite cloud resources, connected over the public internet and/or private links. Multi-cloud enables enterprises to combine the low latency of onsite clouds with the scalable, resilient, and on-demand resources found in the public cloud. With multi-cloud, customers can move workloads from cloud to cloud, with decisions based on the availability, performance, and cost of those resources. In short, multi-cloud is the next logical step in the evolution of cloud computing. However, this move is not without complications.

Multi-Cloud Requires Connectivity

The drawback of multi-cloud is the need for connectivity between the constituent clouds. And not just any connectivity: it must be fast, reliable, and secure. In practice, the first two requirements are increasingly easy to meet. Data center interconnect (DCI) has grown to make fast and reliable connections ubiquitous, at least for private and directly connected links.

The direct connect model is a popular option when available. In this model a communications provider has a connection to a cloud provider that bypasses the public internet. The connection can be at either Layer 2 or Layer 3, depending on the cloud operator; MPLS and Carrier Ethernet (CE) are often supported. CE is of particular interest for two reasons: its cost advantages, and its Layer 2 transparency, which supports native cloud networking. Note that direct connections are usually transparent and, as such, are not secured.

Internet connectivity is another matter entirely. It is true that internet connections have improved significantly over the years, especially in speed and reliability, and they can reach just about any location on the planet. But they are not secure, and securing them is not trivial. Appliance-based encryption is a popular solution for endpoints on customer premises. However, data centers don’t allow customer-provided equipment, so this approach won’t work when either end of the connection lands in a data center.

An example multi-cloud network is shown below. It includes a variety of public and private clouds, as well as different access methods.

Source: ADVA Optical Networking.

To achieve the benefits of multi-cloud, enterprises need a security solution that fits into the network scenarios listed and shown above. A suitable solution must meet these requirements:

Work with on-net and off-net connections

Work with wired and wireless connections

Work when connected at Layer 2 and Layer 3, and provide Layer 2 transparency when needed

Support deployment in the customer site and the data center

Provide efficient management — both for networking and encryption

Be cost effective — both for an initial deployment and at scale

How can we secure these connections, meet the requirements listed above, and provide Layer 2 transparency for efficient cloud networking?

Advances in Software-Based Encryption

Fortunately, there is an answer: software-based encryption.

The move to network functions virtualization (NFV) has driven rapid advances in the availability and performance of virtual network functions (VNFs). VNFs can now replace network appliances, including those that provide security and encryption. It is now possible to host network-level encryption functions in a virtual machine (VM) or in a container running in a cloud, whether local or public. For improved performance, the encryption could be part of the transport layer of the VNF hosting software.

The availability of a virtualized solution means that we can now create secure transport wherever needed, as shown below.

Source: ADVA Optical Networking.

With software-based encryption, we can place the endpoints in the public cloud, providing an end-to-end solution. With an appropriate feature set, we can also provide for connectivity at Layer 2 or Layer 3, regardless of the available transport.

The ideal approach is to implement the software encryption as a software VNF, or as a plug-in to the NFV infrastructure software. That way, the encryption functionality can be combined with other VNFs, such as software-defined wide area networking (SD-WAN), to form a complete virtualized service.
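As an added illustration (not ADVA’s code or any product’s implementation), here is a Go sketch of the per-frame step a software encryption VNF performs to keep Layer 2 transparency: the Ethernet header stays in the clear so carrier equipment can still forward the frame, while the payload is encrypted and the header authenticated with AES-GCM. The function names, the constructed sample frame and the one-key-per-direction key handling are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const ethHdrLen = 14 // dst MAC (6) + src MAC (6) + EtherType (2), left in the clear
// sampleFrame is constructed: two locally administered MACs, EtherType 0x0800, dummy payload.
var sampleFrame = append([]byte{2, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 2, 0x08, 0x00}, "constructed payload"...)

// newFrameAEAD builds AES-GCM for one direction of the (hypothetical) encryption VNF.
func newFrameAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect returns header || nonce || ciphertext+tag. The header is associated
// data: still readable by Layer 2 switches, but any change to it breaks the tag.
// seq is a per-direction frame counter: a safe nonce when each direction has its
// own key, whereas a random nonce per frame could repeat at line rate.
func Protect(aead cipher.AEAD, seq uint64, frame []byte) ([]byte, error) {
	if len(frame) < ethHdrLen {
		return nil, errors.New("frame shorter than Ethernet header")
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes: 4 zero + 8-byte counter
	binary.BigEndian.PutUint64(nonce[4:], seq)
	hdr := frame[:ethHdrLen]
	out := append(append([]byte{}, hdr...), nonce...)
	return aead.Seal(out, nonce, frame[ethHdrLen:], hdr), nil
}

// Unprotect checks the tag over header and payload and rebuilds the original frame.
func Unprotect(aead cipher.AEAD, wire []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(wire) < ethHdrLen+ns+aead.Overhead() {
		return nil, errors.New("protected frame too short")
	}
	hdr, nonce := wire[:ethHdrLen], wire[ethHdrLen:ethHdrLen+ns]
	pt, err := aead.Open(nil, nonce, wire[ethHdrLen+ns:], hdr)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, hdr...), pt...), nil
}
```

A receiver should also track seq per direction and drop replays; that window logic is left out here.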

Cloud-Based Security Provides an End-To-End Solution

Multi-cloud is a powerful new option for enterprise customers, but it has its complexities — especially regarding security. Users need a simple and consistent way to protect the data-in-motion going between the clouds. Now, with virtualized security solutions, enterprises can take advantage of multi-cloud while protecting their data. Even better, this protection extends from end to end, and from VM to VM. Cloud computing has opened new opportunities for scalable and on-demand computing. Now we can use the cloud to protect the cloud, and ensure the safety of mission-critical applications and data.


Prayson Pate is ADVA Optical Networking’s chief technology officer for the Ensemble division and is a thought leader and an evangelist for network functions virtualization (NFV). He speaks at industry events and writes posts and articles to inform, educate and entertain, mostly about NFV with plenty of innovation for good measure. Prayson has contributed to standards bodies such as the MEF and IETF. He is a named inventor on nine patents.

Comments

I just want to expand on the application-level security. The developers are far from security experts but this is to be expected and will probably always be the case. In addition, the web application and web servers are built/configured/designed by two different entities – companies or teams etc. This leaves a gap that needs to be filled. But by what?

The web started with text files, then moved to Hypertext Markup Language (HTML) and JavaScript, and now to APIs. More of a reason to fill this gap with appropriate measures.

In response to Matt, this is where a vulnerability scanning solution like Acunetix could help.

With the uptake of cloud computing and the advancements in browser technology, web applications and web services have become a core component of many business processes, and therefore a lucrative target for attackers.

Acunetix, also available as a cloud solution, automatically detects and reports a wide array of vulnerabilities in applications built on various architectures. A must-have for a security-conscious team.

Thank you Prayson, I read that blog. Nicely written! The layered approach reminds one of an onion!! Every layer has to work independently, and each layer doesn’t know if the layer above or below is efficiently securing and doing its job.
